A new vulnerability in the LiteSpeed Cache plugin for WordPress has been identified that could allow unauthenticated attackers to inject malicious code into websites.
The flaw, discovered by TaiYou through Patchstack's bug bounty program, affects the plugin's CSS queue generation process and impacts over six million active installations.
The vulnerability, tracked as CVE-2024-47374, is an unauthenticated stored XSS issue that could lead to privilege escalation or data theft. It abuses the plugin's "Vary Group" functionality, which controls cache variations based on user roles.
Attackers can manipulate this functionality via specially crafted HTTP headers, injecting harmful content directly into the WordPress admin panel, where it executes in the browser of whoever views the affected page.
"This vulnerability occurs because the code that handles the view of the queue doesn't implement sanitization and output escaping," Patchstack explained.
For the exploit to be effective, two settings must be enabled in the LiteSpeed Cache plugin:
- CSS Combine
- Generate UCSS
The first combines multiple CSS files into a single file, reducing server load and improving performance. However, when active, it allows the vulnerable code path to be reached, opening the door for an attacker to exploit the flaw.
The second generates unique CSS files for each page, tailored to the content being displayed. While this feature enhances optimization, it also makes the vulnerability exploitable, as it exposes the CSS generation queue to potentially malicious inputs.
LiteSpeed has addressed the vulnerability in version 6.5.1, which escapes the queue contents with WordPress's esc_html function before rendering them, so that stored markup is displayed as text rather than interpreted by the browser.
Users of the LiteSpeed Cache plugin are strongly advised to update to the latest version to safeguard their sites from potential attacks.
"We recommend applying escaping and sanitization to any message that will be displayed as an admin notice," Patchstack added. "We also recommend applying a proper permission or authorization check to the registered REST route endpoints."
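As an added illustration that is not code from LiteSpeed Cache or Patchstack, the following WordPress plugin fragment shows the bug class described above (a request-controlled value stored into a queue and later echoed into an admin notice without escaping) next to the hardened form: input sanitized on the way in, output escaped with esc_html on the way out, and a REST route gated by a permission callback as Patchstack recommends. The option name, the X-Example-Vary header and the REST namespace are hypothetical placeholders, not the plugin's own identifiers.

```php
<?php
/**
 * Added illustration, not LiteSpeed Cache's code. Shows the pattern Patchstack
 * describes: a message originating from request data that is rendered in
 * wp-admin, first as the unsafe variant, then hardened.
 *
 * Hypothetical names: option 'example_css_queue', header 'X-Example-Vary',
 * REST namespace 'example/v1'. Requires a WordPress runtime.
 */

// Unsafe: the header value is stored verbatim and echoed unescaped.
function example_queue_store_unsafe() {
    // Any visitor can send this header; no authentication is involved.
    $value = isset( $_SERVER['HTTP_X_EXAMPLE_VARY'] ) ? $_SERVER['HTTP_X_EXAMPLE_VARY'] : '';
    $queue = get_option( 'example_css_queue', array() );
    $queue[] = $value;   // a stored XSS payload would land here
    update_option( 'example_css_queue', $queue );
}

function example_queue_notice_unsafe() {
    foreach ( (array) get_option( 'example_css_queue', array() ) as $item ) {
        // Raw echo: stored "<script>...</script>" runs in the admin's browser.
        echo '<div class="notice notice-info"><p>Queued: ' . $item . '</p></div>';
    }
}

// Hardened: sanitize on input, escape on output, authorize the REST route.
function example_queue_store_safe() {
    $raw   = isset( $_SERVER['HTTP_X_EXAMPLE_VARY'] ) ? wp_unslash( $_SERVER['HTTP_X_EXAMPLE_VARY'] ) : '';
    $value = sanitize_text_field( $raw );  // strips tags and control characters, trims
    $value = substr( $value, 0, 128 );     // bound what an anonymous client can store
    $queue = get_option( 'example_css_queue', array() );
    $queue[] = $value;
    update_option( 'example_css_queue', $queue );
}

function example_queue_notice_safe() {
    foreach ( (array) get_option( 'example_css_queue', array() ) as $item ) {
        // esc_html() converts <, >, &, " and ' to entities, so the browser
        // renders the stored value as text; this is the fix class used in 6.5.1.
        printf( '<div class="notice notice-info"><p>Queued: %s</p></div>', esc_html( $item ) );
    }
}
add_action( 'admin_notices', 'example_queue_notice_safe' );

// The permission_callback is the authorization check Patchstack recommends.
// Omitting it, or using '__return_true', lets any visitor call the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/css-queue', array(
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( get_option( 'example_css_queue', array() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The two defenses are independent: escaping at render time stops the stored payload from executing even if sanitization is bypassed, and the capability check on the REST route keeps unauthenticated clients from reading or driving the queue regardless of what it contains.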